2019-05-17 15:03:35 +03:00
Authentication using JWT
========================
2018-09-11 14:11:24 +03:00
2018-12-03 15:12:24 +03:00
.. contents :: Table of contents
:backlinks: none
:depth: 1
:local:
2019-05-17 15:03:35 +03:00
Introduction
------------
2019-09-11 10:17:14 +03:00
You can configure the GraphQL engine to use JWT authorization mode to authorize all incoming requests to the Hasura GraphQL engine server.
2018-09-11 14:11:24 +03:00
2019-09-11 10:17:14 +03:00
The idea is that your auth server will return JWT tokens, which are decoded and
2019-10-26 07:13:38 +03:00
verified by the GraphQL engine, to authorize and get metadata about the request
2018-09-11 14:11:24 +03:00
(`` x-hasura-* `` values).
2019-05-17 15:03:35 +03:00
.. thumbnail :: ../../../../img/graphql/manual/auth/jwt-auth.png
2018-09-11 14:11:24 +03:00
2018-10-19 19:59:18 +03:00
The JWT is decoded, the signature is verified, then it is asserted that the
2018-11-29 12:41:59 +03:00
current role of the user (if specified in the request) is in the list of allowed roles.
2019-09-11 10:17:14 +03:00
If the current role is not specified in the request, then the default role is applied.
2018-11-29 12:41:59 +03:00
If the authorization passes, then all of the `` x-hasura-* `` values in the claim
2019-09-11 10:17:14 +03:00
are used for the permissions system.
2018-09-11 14:11:24 +03:00
2019-05-17 15:03:35 +03:00
.. admonition :: Prerequisite
It is mandatory to first :doc: `secure your GraphQL endpoint <../../deployment/securing-graphql-endpoint>` for the JWT mode to take effect.
2018-09-11 14:11:24 +03:00
2019-05-17 15:03:35 +03:00
In JWT mode, on a secured endpoint:
2019-09-11 10:17:14 +03:00
- JWT authentication is **enforced** when the `` X-Hasura-Admin-Secret `` header is **not found** in the request.
- JWT authentication is **skipped** when the `` X-Hasura-Admin-Secret `` header **is found** in the request and
2019-05-17 15:03:35 +03:00
admin access is granted.
2018-09-11 14:11:24 +03:00
TL;DR
-----
1. The JWT must contain: `` x-hasura-default-role `` , `` x-hasura-allowed-roles ``
in a custom namespace in the claims.
2. Other optional `` x-hasura-* `` fields (required as per your defined
2018-10-04 07:09:47 +03:00
permissions).
2019-07-05 11:43:02 +03:00
3. You can send `` x-hasura-role `` as header in the request to indicate a role.
2018-09-11 14:11:24 +03:00
4. Send the JWT via `` Authorization: Bearer <JWT> `` header.
2018-09-27 14:22:49 +03:00
2018-09-11 14:11:24 +03:00
The Spec
--------
When your auth server generates the JWT, the custom claims in the JWT **must contain**
the following:
2019-07-05 11:43:02 +03:00
1. A `` x-hasura-default-role `` field : indicating the default role of that user i.e. the role that will be
2019-10-26 07:13:38 +03:00
used in case `` x-hasura-role `` header is not passed.
2019-07-05 11:43:02 +03:00
2. A `` x-hasura-allowed-roles `` field : a list of allowed roles for the user i.e. acceptable values of the
2019-10-26 07:13:38 +03:00
`` x-hasura-role `` header.
2018-09-11 14:11:24 +03:00
2019-09-11 10:17:14 +03:00
The claims in the JWT can have other `` x-hasura-* `` fields where their values
2018-09-11 14:11:24 +03:00
can only be strings. You can use these `` x-hasura-* `` fields in your
permissions.
2019-09-11 10:17:14 +03:00
Now the JWT should be sent by the client to the Hasura GraphQL engine via the
2018-09-11 14:11:24 +03:00
`` Authorization: Bearer <JWT> `` header.
Example JWT claim:
.. code-block :: json
{
"sub": "1234567890",
"name": "John Doe",
"admin": true,
"iat": 1516239022,
"https://hasura.io/jwt/claims": {
"x-hasura-allowed-roles": ["editor","user", "mod"],
"x-hasura-default-role": "user",
"x-hasura-user-id": "1234567890",
"x-hasura-org-id": "123",
"x-hasura-custom": "custom-value"
}
}
This contains standard (`` sub `` , `` iat `` etc.) and custom (`` name `` , `` admin ``
etc.) JWT claims, as well as Hasura specific claims inside a custom namespace
2018-10-15 11:47:21 +03:00
(or key) i.e. `` https://hasura.io/jwt/claims `` .
2018-09-11 14:11:24 +03:00
The `` https://hasura.io/jwt/claims `` is the custom namespace where all Hasura
specific claims have to be present. This value can be configured in the JWT
config while starting the server.
**Note** : `` x-hasura-default-role `` and `` x-hasura-allowed-roles `` are
2019-09-11 10:17:14 +03:00
mandatory, while the rest of them are optional.
2018-09-11 14:11:24 +03:00
.. note ::
2019-09-11 10:17:14 +03:00
All `` x-hasura-* `` values should be of type `` String `` , they will be converted to the
2018-09-11 14:11:24 +03:00
right type automatically.
2019-09-11 10:17:14 +03:00
The default role can be overridden by the `` x-hasura-role `` header, while making a
2018-09-11 14:11:24 +03:00
request.
.. code-block :: http
2019-05-10 09:05:11 +03:00
POST /v1/graphql HTTP/1.1
2018-09-11 14:11:24 +03:00
Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWI...
X-Hasura-Role: editor
...
Configuring JWT mode
--------------------
You can enable JWT mode by using the `` --jwt-secret `` flag or
`` HASURA_GRAPHQL_JWT_SECRET `` environment variable; the value of which is a
2019-01-21 15:08:32 +03:00
JSON object:
2018-09-11 14:11:24 +03:00
2019-08-20 15:39:57 +03:00
.. code-block :: none
2018-09-11 14:11:24 +03:00
{
"type": "<standard-JWT-algorithms>",
2018-09-27 14:22:49 +03:00
"key": "<optional-key-as-string>",
"jwk_url": "<optional-url-to-refresh-jwks>",
2019-02-05 15:04:16 +03:00
"claims_namespace": "<optional-key-name-in-claims>",
2019-07-09 18:09:32 +03:00
"claims_format": "json|stringified_json",
"audience": <optional-string-or-list-of-strings-to-verify-audience>,
"issuer": "<optional-string-to-verify-issuer>"
2018-09-11 14:11:24 +03:00
}
2019-02-05 15:04:16 +03:00
`` key `` or `` jwk_url `` , **one of them has to be present** .
2018-09-11 14:11:24 +03:00
`` type ``
^^^^^^^^
Valid values are : `` HS256 `` , `` HS384 `` , `` HS512 `` , `` RS256 `` ,
`` RS384 `` , `` RS512 `` . (see https://jwt.io).
`` HS* `` is for HMAC-SHA based algorithms. `` RS* `` is for RSA based signing. For
example, if your auth server is using HMAC-SHA256 for signing the JWTs, then
use `` HS256 `` . If it is using RSA with 512-bit keys, then use `` RS512 `` . EC
public keys are not yet supported.
`` key ``
^^^^^^^
2018-10-15 11:47:21 +03:00
- In case of symmetric key (i.e. HMAC based key), the key as it is. (e.g. -
2019-04-06 05:50:16 +03:00
"abcdef..."). The key must be long enough for the algorithm chosen,
(e.g. for HS256 it must be at least 32 characters long).
2018-10-04 17:30:01 +03:00
- In case of asymmetric keys (RSA etc.), only the public key, in a PEM encoded
2018-09-27 14:22:49 +03:00
string or as a X509 certificate.
This is an optional field. You can also provide a URL to fetch JWKs from using
the `` jwk_url `` field.
`` jwk_url ``
^^^^^^^^^^^
A URL where a provider publishes their JWKs (which are used for signing the
JWTs). The URL **must** publish the JWKs in the standard format as described in
2019-09-11 10:17:14 +03:00
https://tools.ietf.org/html/rfc7517.
2018-09-27 14:22:49 +03:00
This is an optional field. You can also provide the key (certificate, PEM
2019-10-26 07:13:38 +03:00
encoded public key) as a string - under the `` key `` field.
2018-09-27 14:22:49 +03:00
**Rotating JWKs** :
2019-09-11 10:17:14 +03:00
Some providers rotate their JWKs (e.g. Firebase). If the provider sends an
`` Expires `` header with the response of JWK, then the GraphQL engine will refresh
the JWKs automatically. If the provider does not send an `` Expires `` header, the
2018-09-27 14:22:49 +03:00
JWKs are not refreshed.
**Example** :
2018-09-11 14:11:24 +03:00
2018-09-27 14:22:49 +03:00
- Auth0 publishes their JWK url at: `` https://<YOUR_AUTH0_DOMAIN>.auth0.com `` .
But Auth0 has a bug. See known issues: :ref: `auth0-issues` .
- Firebase publishes their JWK url at:
2018-10-04 07:09:47 +03:00
`` https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com `` .
2018-09-11 14:11:24 +03:00
`` claims_namespace ``
^^^^^^^^^^^^^^^^^^^^
2019-10-26 07:13:38 +03:00
This is an optional field. You can specify the key name,
2019-09-11 10:17:14 +03:00
inside which the Hasura specific claims will be present, e.g. `` https://mydomain.com/claims `` .
2018-09-11 14:11:24 +03:00
**Default value** is: `` https://hasura.io/jwt/claims `` .
2019-02-05 15:04:16 +03:00
`` claims_format ``
2019-03-13 13:03:45 +03:00
^^^^^^^^^^^^^^^^^
2019-02-05 15:04:16 +03:00
This is an optional field, with only the following possible values:
- `` json ``
- `` stringified_json ``
Default is `` json `` .
2019-10-26 07:13:38 +03:00
This is to indicate whether the Hasura specific claims are a regular JSON object
or a stringified JSON.
2019-02-05 15:04:16 +03:00
2019-09-11 10:17:14 +03:00
This is required because providers like AWS Cognito only allow strings in the
2019-02-05 15:04:16 +03:00
JWT claims. `See #1176 <https://github.com/hasura/graphql-engine/issues/1176> `_ .
Example:-
If `` claims_format `` is `` json `` then JWT claims should look like:
.. code-block :: json
{
"sub": "1234567890",
"name": "John Doe",
"admin": true,
"iat": 1516239022,
"https://hasura.io/jwt/claims": {
"x-hasura-allowed-roles": ["editor","user", "mod"],
"x-hasura-default-role": "user",
"x-hasura-user-id": "1234567890",
"x-hasura-org-id": "123",
"x-hasura-custom": "custom-value"
}
}
If `` claims_format `` is `` stringified_json `` then JWT claims should look like:
.. code-block :: json
{
"sub": "1234567890",
"name": "John Doe",
"admin": true,
"iat": 1516239022,
"https://hasura.io/jwt/claims": "{\"x-hasura-allowed-roles\":[\"editor\",\"user\",\"mod\"],\"x-hasura-default-role\":\"user\",\"x-hasura-user-id\":\"1234567890\",\"x-hasura-org-id\":\"123\",\"x-hasura-custom\":\"custom-value\"}"
}
2019-07-09 18:09:32 +03:00
`` audience ``
^^^^^^^^^^^^
This is an optional field. Certain providers might set a claim which indicates
the intended audience for the JWT. This can be checked by setting this field.
When this field is set, during the verification process of JWT, the `` aud ``
claim in the JWT will be checked if it is equal to the `` audience `` field given
in the configuration.
See `RFC <https://tools.ietf.org/html/rfc7519#section-4.1.3> `__ for more details.
This field can be a string, or a list of strings.
Examples:
.. code-block :: json
{
"type": "RS512",
"jwk_url": "https://......",
"audience": "myapp-1234"
}
or
.. code-block :: json
{
"type": "RS512",
"jwk_url": "https://......",
"audience": ["myapp-1234", "myapp-6789"]
}
2019-07-16 14:13:00 +03:00
.. admonition :: Important!
Certain JWT providers share JWKs between multiple tenants. They use the
`` aud `` claim of JWT to specify the intended audience for the JWT. Setting
the `` audience `` field in the Hasura JWT configuration will make sure that
the `` aud `` claim from the JWT is also checked during verification. Not doing
this check will allow JWTs issued for other tenants to be valid as well.
2019-10-26 07:13:38 +03:00
In these cases, you **MUST** set the `` audience `` field to the appropriate value.
Failing to do so is a major security vulnerability.
2019-07-16 14:13:00 +03:00
2019-07-09 18:09:32 +03:00
`` issuer ``
^^^^^^^^^^
This is an optional field. It takes a string value.
When this field is set, during the verification process of JWT, the `` iss ``
claim in the JWT will be checked if it is equal to the `` issuer `` field given
in the configuration.
See `RFC <https://tools.ietf.org/html/rfc7519#section-4.1.1> `__ for more details.
Examples:
.. code-block :: json
{
"type": "RS512",
"jwk_url": "https://......",
"issuer": "https://my-auth-server.com"
}
2019-07-16 14:13:00 +03:00
.. note ::
Certain providers require you to verify the `` iss `` claim on the JWT. To do
that you can set this field to the appropriate value.
2019-07-09 18:09:32 +03:00
2019-07-11 12:58:39 +03:00
2018-09-11 14:11:24 +03:00
Examples
^^^^^^^^
HMAC-SHA based
2018-11-18 09:08:10 +03:00
++++++++++++++
2018-10-04 17:30:01 +03:00
Your auth server is using HMAC-SHA algorithms to sign JWTs, and is using a
2018-10-15 08:03:47 +03:00
256-bit key. In this case, the JWT config will look like:
2018-09-11 14:11:24 +03:00
.. code-block :: json
{
"type":"HS256",
"key": "3EK6FD+o0+c7tzBNVfjpMkNDi2yARAAKzQlk8O2IKoxQu4nF7EdAh8s3TwpHwrdWT6R"
}
2018-09-27 14:22:49 +03:00
2018-11-08 09:21:13 +03:00
The `` key `` is the actual shared secret, which is used by Hasura and the external auth server.
2018-09-11 14:11:24 +03:00
RSA based
+++++++++
2019-09-11 10:17:14 +03:00
If your auth server is using RSA to sign JWTs, and is using a 512-bit key,
2019-10-26 07:13:38 +03:00
the JWT config only needs to have the public key.
2018-09-27 14:22:49 +03:00
**Example 1** : public key in PEM format (not OpenSSH format):
2018-09-11 14:11:24 +03:00
.. code-block :: json
{
"type":"RS512",
"key": "-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDdlatRjRjogo3WojgGHFHYLugd\nUWAY9iR3fy4arWNA1KoS8kVw33cJibXr8bvwUAUparCwlvdbH6dvEOfou0/gCFQs\nHUfQrSDv+MuSUMAe8jzKE4qW+jK+xQU9a03GUnKHkkle+Q0pX/g6jXZ7r1/xAK5D\no2kQ+X5xK9cipRgEKwIDAQAB\n-----END PUBLIC KEY-----\n"
}
2018-09-27 14:22:49 +03:00
**Example 2** : public key as X509 certificate:
.. code-block :: json
{
"type":"RS512",
"key": "-----BEGIN CERTIFICATE-----\nMIIDHDCCAgSgAwIBAgIINw9gva8BPPIwDQYJKoZIhvcNAQEFBQAwMTEvMC0GA1UE\nAxMmc2VjdXJldG9rZW4uc3lzdGVtLmdzZXJ2aWNlYWNjb3VudC5jb20wHhcNMTgQt7dIsMTIU9k1SUrFviZOGnmHWtIAw\nmtYBcM9I0f9/ka45JIRp5Y1NKpAMFSShs7Wv0m1JS1kXQHdJsPSmjmDKcwnBe3R/\nTU3foRRywR/3AJRM15FNjTqvUm7TeaW16LkkRoECAwEAAaM4MDYwDAYDVR0TAQH/\nBAIwADAOBgNVHQ8BAf8EBAMCB4AwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwIwDQYJ\nKoZIhvcNAQEFBQADggEBADfY2DEmc2gb8/pqMNWHYq/nTYfJPpK4VA9A0lFTNeoq\nzmnbGwhKj24X+Nw8trsvkrKxHvCI1alDgBaCyzjGGvgOrh8X0wLtymp1yj6PWwee\nR2ZPdUaB62TCzO0iRv7W6o39ey+mU/FyYRtxF0ecxG2a0KNsIyFkciXUAeC5UVDo\nBNp678/SDDx9Ltuxc6h56a/hpBGf9Yzhr0RvYy3DmjBs6eopiGFmjnOKNxQrZ5t2\n339JWR+yiGEAtoHqk/fINMf1An6Rung1xYowrm4guhCIVi5unAvQ89fq0I6mzPg6\nLhTpeP0o+mVYrBmtYVpDpv0e71cfYowSJCCkod/9YbY=\n-----END CERTIFICATE-----"
}
**Example 3** : public key published as JWKs:
.. code-block :: json
{
"type":"RS512",
"jwk_url": "https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com"
}
2018-09-11 14:11:24 +03:00
Running with JWT
^^^^^^^^^^^^^^^^
Using the flag:
.. code-block :: shell
$ docker run -p 8080:8080 \
hasura/graphql-engine:latest \
graphql-engine \
--database-url postgres://username:password@hostname:port/dbname \
serve \
2019-02-14 12:37:47 +03:00
--admin-secret myadminsecretkey \
2018-09-11 14:11:24 +03:00
--jwt-secret '{"type":"HS256", "key": "3EK6FD+o0+c7tzBNVfjpMkNDi2yARAAKzQlk8O2IKoxQu4nF7EdAh8s3TwpHwrdWT6R"}'
Using env vars:
.. code-block :: shell
$ docker run -p 8080:8080 \
2019-02-14 12:37:47 +03:00
-e HASURA_GRAPHQL_ADMIN_SECRET="myadminsecretkey" \
2018-09-11 14:11:24 +03:00
-e HASURA_GRAPHQL_JWT_SECRET='{"type":"RS512", "key": "-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDdlatRjRjogo3WojgGHFHYLugd\nUWAY9iR3fy4arWNA1KoS8kVw33cJibXr8bvwUAUparCwlvdbH6dvEOfou0/gCFQs\nHUfQrSDv+MuSUMAe8jzKE4qW+jK+xQU9a03GUnKHkkle+Q0pX/g6jXZ7r1/xAK5D\no2kQ+X5xK9cipRgEKwIDAQAB\n-----END PUBLIC KEY-----\n"}' \
hasura/graphql-engine:latest \
graphql-engine \
--database-url postgres://username:password@hostname:port/dbname \
serve
2018-09-27 14:22:49 +03:00
2019-07-16 14:13:00 +03:00
Security considerations
-----------------------
Setting audience check
^^^^^^^^^^^^^^^^^^^^^^
Certain JWT providers share JWKs between multiple tenants (like Firebase). They use the `` aud `` claim of JWT to specify the intended tenant for the JWT. Setting the `` audience `` field in the Hasura JWT configuration will make sure that the `` aud `` claim from the JWT is also checked during verification. Not doing this check will allow JWTs issued for other tenants to be valid as well.
2019-10-26 07:13:38 +03:00
In these cases, you **MUST** set the `` audience `` field to appropriate value. Failing to do so is a major security vulnerability.
2019-07-16 14:13:00 +03:00
2018-12-03 15:12:24 +03:00
Popular providers and known issues
----------------------------------
2018-09-27 14:22:49 +03:00
Firebase
^^^^^^^^
2018-11-18 09:08:10 +03:00
This page of Firebase `docs <https://firebase.google.com/docs/auth/admin/verify-id-tokens#verify_id_tokens_using_a_third-party_jwt_library> `__
2018-09-27 14:22:49 +03:00
mentions that JWKs are published under:
https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com .
But that is a non-standard format. Firebase also publishes the same certificates
as proper JWK format under:
2018-10-04 07:09:47 +03:00
https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com .
2018-09-27 14:22:49 +03:00
If you are using Firebase and Hasura, use this config:
.. code-block :: json
2019-07-09 18:09:32 +03:00
{
"type":"RS256",
"jwk_url": "https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com",
"audience": "<firebase-project-id>",
"issuer": "https://securetoken.google.com/<firebase-project-id>"
}
2018-09-27 14:22:49 +03:00
.. _auth0-issues:
Auth0
^^^^^
2018-11-18 09:08:10 +03:00
2019-05-17 15:03:35 +03:00
Refer the :doc: `Auth0 JWT Integration guide <../../guides/integrations/auth0-jwt>` for a full integration guide
2019-09-11 10:17:14 +03:00
with Auth0.
2018-11-18 09:08:10 +03:00
2018-09-27 14:22:49 +03:00
Auth0 publishes their JWK under:
`` https://<your-auth0-domain>.auth0.com/.well-known/jwks.json ``
But they have a `bug where the certificate thumbprint does not match
2018-11-18 09:08:10 +03:00
<https://community.auth0.com/t/certificate-thumbprint-is-longer-than-20-bytes/7794/3> `__.
2018-09-27 14:22:49 +03:00
Hence, currently this URL does not work with Hasura.
Current workaround is - download the X590 certificate from:
`` https://<your-auth0-domain>.auth0.com/pem ``
And use it in the `` key `` field:
.. code-block :: json
{
"type":"RS512",
"key": "-----BEGIN CERTIFICATE-----
MIIDDTCAfWgAwIBAgIJhNlZ11IDrxbMA0GCSqSIb3DQEBCwUAMCQxIjAgBgNV
BAMTGXlc3QtaGdlLWp3C5ldS5hdXRoMC5jb20HhcNMTgwNzMwMTM1MjM1WhcN
MzIwND3MTM1MjM1WjAkSIwIAYDVQQDExl0ZXNLWhnZS1qd3QuZXUuYXV0aDAu
Y29tMIBIjANBgkqhkiGw0BAQEFAAOCAQ8AMIICgKCAQEA13CivdSkNzRnOnR5
ZNiReD+AgbL7BWjRiw3RwjxRp5PYzvAGuj94yR6LRh3QybYtsMFbSg5J7fNq6
Ld6yMpMrUu8CBOnYY456b/2jlf+Vp8vEQuKvPOOw8Ev6x7X3blcuXCELSwyL3
AGHq9OP2RV6V6CIE863zzuYH5HDLzU35oMZqogJVRJM0+6besH6TnSTNiA7xi
BAqFaiRNQRVi1CAUa0bkN1XRp4AFy7d63VldOsM+8QnCNHySdDr1XevVuq6DK
LQyGexFy4niALgHV0Q7A+xP1c2G6rJomZmn4j1avnlBpU87E58JMrRHOCj+5m
Xj22/QDAQABo0IwQDAPgNVHRMBAf8EBTADAQHMB0GA1UdDgQWBBT6FvNkuUgu
tk3OYQi4lo5aOgwazAOgNVHQ8BAf8EBAMCAoQDQYJKoZIhvcNAQELBQADggEB
ADCLj+L22pEKyqaIUlhUJh7DAiDSLafy0fw56CntzPhqiZVVRlhxeAKidkCLV
r9IEbRuxUoXiQSezPqM//9xHegMp0f2VauVCFg7EpUanYwvqFqjy9LWgH+SBz
4uroLSZ5g1EPsHtlArLChA90caTX4e7Z7Xlu8G2kHRJB5nC7ycdbMUvEWBMeI
tn/pcbmZ3/vlgj4UTEnURe2UPmSJpxmPwXqBcvwdKHRMgFXhZxojWCi0z4ftf
f8t8UJIcbEblnkYe7wzYy8tOXoMMHqGSisCdkp/866029rJsKbwd8rVIyKNC5
frGYaw+0cxO6/WvSir0eA=
-----END CERTIFICATE-----
"
}
2018-11-15 16:21:25 +03:00
2019-01-04 17:01:18 +03:00
Generating JWT Config
---------------------
2018-11-15 16:21:25 +03:00
2019-01-04 17:01:18 +03:00
The JWT Config to be used in env `` HASURA_GRAPHQL_JWT_SECRET `` or `` --jwt-secret `` flag can be generated using:
https://hasura.io/jwt-config.
**Currently the UI supports generating config for Auth0 and Firebase** .
The config generated from this page can be directly pasted in yaml files and command line arguments as it takes
care of escaping new lines.
2018-11-15 16:21:25 +03:00
2019-05-17 15:03:35 +03:00
.. thumbnail :: ../../../../img/graphql/manual/auth/jwt-config-generated.png
2019-03-13 13:03:45 +03:00
:width: 75%
2019-01-04 17:01:18 +03:00
2019-05-17 15:03:35 +03:00
Auth JWT Examples
-----------------
Here are some sample apps that use JWT authorization. You can follow the instructions in the READMEs of the
repositories to get started.
- `Auth0 JWT example <https://github.com/hasura/graphql-engine/tree/master/community/sample-apps/todo-auth0-jwt> `__ :
2019-09-11 10:17:14 +03:00
A todo app that uses Hasura GraphQL engine and Auth0 JWT
2019-01-04 17:01:18 +03:00
2019-05-17 15:03:35 +03:00
- `Firebase JWT example <https://github.com/hasura/graphql-engine/tree/master/community/sample-apps/firebase-jwt> `__ :
2019-07-09 18:09:32 +03:00
Barebones example to show how to have Firebase Auth integrated with Hasura JWT mode